This applies to your own web session; it won’t work if you don’t control the browser. Otherwise you need a man-in-the-middle proxy. The procedures devoted to creating a secure key log file work on Linux and might work on BSD or Mac OS X.
Sometimes you need to look at the plaintext of your own TLS (formerly SSL) sessions. I was thinking of hacking the SSL library to get the keys out, but it turns out that has already been done, and is installed in the stock NSS library since version 3.14. Other programs using the NSS library will also use SSLKEYLOGFILE. You could also use firefox extensions such as Live HTTP headers or maybe scriptish/greasemonkey to grab the data before it gets encrypted.
Anyway, here is how you make wireshark decrypt an SSL session and save all of the files which were returned. These procedures ensure that the secret key files will be gone once you close the shell terminal window:
• Create a secure temporary file, open it in bash for reading and writing as file descriptor 3, and delete it. From the bash reference manual, exec builtin: “If no command is specified, redirections may be used to affect the current shell environment.”

$ f=$(mktemp); ls -l $f; exec 3<>$f; rm $f; ls $f; lsof -d3 -a -p$$
-rw-------. 1 edward edward 0 Sep 30 13:09 /tmp/tmp.VQw5BPHFlc
ls: cannot access /tmp/tmp.VQw5BPHFlc: No such file or directory
COMMAND … FD … NAME
bash … 3u … /tmp/tmp.VQw5BPHFlc (deleted)
• Quit from firefox (that is absolutely essential), and restart it as a child of this shell with the SSLKEYLOGFILE environment variable set to access file descriptor 3, i.e. /dev/fd/3. For convenience, set ffpid to the process ID of firefox. The &>/dev/null redirection of stdout and stderr is necessary since the $(…) command substitution would otherwise wait for firefox to exit. From the bash reference manual: “There are two formats for redirecting standard output and standard error: &>word and >&word. Of the two forms, the first is preferred. This is semantically equivalent to >word 2>&1”.

• Likewise start wireshark with file descriptor 3 inherited from bash, and with umask set to create user-only-accessible files, because you plan to save confidential files.

$ wspid=$( umask 077; wireshark &>/dev/null & echo $! )
• Observe that both processes have inherited fd 3:

$ lsof -d3 -a -p$ffpid -p$wspid -p$$
COMMAND … FD … NAME
bash … 3u … /tmp/tmp.VQw5BPHFlc (deleted)
firefox … 3u … /tmp/tmp.VQw5BPHFlc (deleted)
wireshark … 3u … /tmp/tmp.VQw5BPHFlc (deleted)
• Next tell wireshark to look for keys by opening and reading /dev/fd/3:
Edit -> Preferences -> Protocol -> SSL
Set the Pre Master Secret log filename field to /dev/fd/3. wireshark will open, read, and close /dev/fd/3 whenever it needs to learn a key:

$ strace -p $wspid -e open,read,close
open("/dev/fd/3", O_RDONLY) = 14
read(14, "# SSL/TLS secrets log file, gene"..., 4096) = 4096
read(14, "d570ba9a80f1cf21339b84f7a0292a32"..., 4096) = 4096
read(14, "f877f2b17761c2bc39e852c2abb0a896"..., 4096) = 4096
read(14, "2ec71ec4c692ae0fe0344562376230\nC"..., 4096) = 3317
close(14) = 0
• Start a wireshark capture, filtering for HTTPS traffic only: Capture options -> Capture filter -> tcp port https
Then access the web page and view images, etc. that you want to save. To save the images in wireshark:
File -> Export Objects -> HTTP
and wait until the list of objects is filled. Then you can save some or all HTTP objects to disk.
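The first three steps above (unlinked key log on fd 3, child launched with SSLKEYLOGFILE=/dev/fd/3, log read back through /dev/fd/3 the way wireshark does), as an added self-checking example that is not code from the original post. It is written in POSIX sh rather than bash so the child can be waited on; the function names and the stand-in "browser" that appends two constructed CLIENT_RANDOM lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed helper names:
# open_secret_keylog, launch_with_keylog, count_keylog_entries, demo.

# 1. Create a 0600 temp file, keep it open read/write on fd 3 of the *current*
#    shell, then unlink it: no pathname remains, only the open descriptor.
open_secret_keylog() {
    f=$(mktemp) || return 1
    exec 3<>"$f"
    rm -f "$f"
}

# 2. Start a command as a child of this shell. It inherits fd 3 and reaches the
#    key log as /dev/fd/3. umask 077 runs in a subshell so the parent shell is
#    untouched; exec makes the command itself the background process, so the
#    parent can wait on $KEYLOG_CHILD. (The post writes the redirection as
#    bash's &>/dev/null; the POSIX spelling is used here.)
launch_with_keylog() {
    ( umask 077; exec env SSLKEYLOGFILE=/dev/fd/3 "$@" ) >/dev/null 2>&1 &
    KEYLOG_CHILD=$!
}

# 3. Read the (unlinked) log back through /dev/fd/3, as wireshark does, and
#    count the CLIENT_RANDOM entries.
count_keylog_entries() {
    grep -c '^CLIENT_RANDOM ' /dev/fd/3
}

# Self-check: the stand-in "browser" appends two constructed entries
# (placeholder hex, not real secrets) to $SSLKEYLOGFILE, as NSS would.
demo() {
    open_secret_keylog || return 1
    launch_with_keylog sh -c \
        'printf "CLIENT_RANDOM %s %s\n" 00 11 22 33 >> "$SSLKEYLOGFILE"'
    wait "$KEYLOG_CHILD"
    count_keylog_entries   # prints 2
}
```

Run `demo` in a shell; afterwards `ls /proc/$$/fd/3 -l` (Linux) shows the deleted path, as in the lsof output above.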